FISMA Security Approach Falls Short, Fed IT Pros Say

Primary tool for defending government information systems is inadequate in the battle against cyber threats and attacks, federal IT security managers say.

Iris Scans: Security Technology In Action

(click image for larger view)

The primary statutory framework for defending government information systems -- the Federal Information Security Management Act (FISMA) -- is falling short in the battle against cyber threats and attacks, creating a compelling need for new strategies, such as continuous monitoring, to improve security at agencies, federal cybersecurity professionals say.

Only about half of the federal IT security managers polled in a survey released this week said that FISMA has improved security at their agencies. Just 27% reported that their agencies are "currently perfectly compliant" with FISMA.

The polling figures suggest that efforts to push FISMA compliance have made little headway since a March 2012 assessment conducted by the Office of Management and Budget.

While 62% of respondents in the new survey believed that increased FISMA compliance would improve security, the survey also revealed that many security managers lack overall confidence in FISMA. They said FISMA is antiquated (11%), is insufficient in dealing with today's increasingly sophisticated threat landscape (21%), and encourages compliance rather than risk identification and assessment (28%). Moreover, 86% reported that FISMA compliance increases costs.

The findings were based on an online survey of more than 200 federal IT managers conducted in July, and made available in a report, "FISMA Fallout," produced by MeriTalk and underwritten by NetApp.

An effort to reform FISMA, which was signed into law in 2002 and requires the head of each agency to implement policies and procedures to reduce IT security risks, is underway in Congress. The Federal Information Security Amendments Act of 2013 (HR 1163) was passed unanimously by the House last April and referred to the Senate. The bill, introduced by Rep. Darrell Issa (R-Calif.), establishes stronger oversight of federal agency IT systems by focusing on "automated and continuous monitoring" of cybersecurity threats and by regular "threat assessments."

Approximately one-fourth of the respondents in the survey (27%) agreed that FISMA could be improved with new requirements such as continuous monitoring.

Asked how FISMA can be reformed, managers in the survey recommended:

-- Get rid of the scorecard mindset and improve metrics as whole;

-- Take into account a realistic picture of agency budgets in light of sequestration;

-- Require less rote compliance documentation and more assessment and risk analysis;

-- Establish clear requirements that need to be met for different risk levels; and

Beyond issues directly related to FISMA, only 22% of federal security pros in the survey rated their current cybersecurity as sustainable. Another 22% said their security systems were sustainable -- but for only the next 12 months. And 21% said their systems were currently near the limit of sustainability.

In addition, current network capacity is also hindering security efforts, the survey found. More than half (55%) of IT professionals polled said their agency networks are either increasingly overloaded with data or they were not able to keep up with the amount of data already crossing their networks.

While these findings may be a fresh take on an antiquated law, the reality is that IT security pros -- and NIST -- have long since dismissed relying on FISMA to address security threats in favor of risk-based assessments and continuous monitoring. The irony is, by the time Congress updates FISMA to require continuous monitoring, agencies will be on to a more comprehensive approach. The Department of Homeland Security's Continuous Diagnostics and Mitigation (CDM) approach is where agenies need to be headed. In the meantime, let's hope Congress gets agencies out of the business of creating binders of paper documents every year to comply with FISMA's current requirements.

Published: 2015-03-31The build_index_from_tree function in index.py in Dulwich before 0.9.9 allows remote attackers to execute arbitrary code via a commit with a directory path starting with .git/, which is not properly handled when checking out a working tree.